Virus.Win32.Gpcode.ai

tag: Executable File and Boot Viruses

Once launched, the virus creates a unique encryption key, and saves it to the system registry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"WinCode" = " 
  

If your computer does not have an up-to-date antivirus, or does not have an antivirus solution at all, follow the instructions below to delete the malicious program:

  1. Modify the system registry key value by adding any character to the end of the name of the malicious module. Example:
    [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
    "UserInit" = "%System%\userinit.exe, %System%\ntos.exe_"
  2. Reboot the computer.
  3. Manually delete the files listed below from the Windows system directory:
    ntos.exe
  4. If the malicious program has encrypted files on your machine, you can use Kaspersky Lab's free utility to decrypt them. Instructions and the utility itself can be found on the KL technical support site. Make sure you read the instructions carefully. Entering the wrong key could cause files to be irrevocably damaged.
  5. Update your antivirus databases and perform a full scan of the computer (download a trial version of Kaspersky Anti-Virus).
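
A read-only check for the three artifacts this entry names (the extra UserInit entry, the WinCode value and ntos.exe), given here as an added PowerShell example that is not part of the original entry. It assumes that %System% means the Windows system directory and that a clean UserInit value lists only the full path to userinit.exe.

```powershell
# Read-only audit for the indicators this entry describes. Nothing is modified.
# Assumption: "%System%" in the entry means the Windows system directory.
$systemDir   = Join-Path $env:SystemRoot 'System32'
$versionKey  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
$winlogonKey = "$versionKey\Winlogon"
$expected    = Join-Path $systemDir 'userinit.exe'
$findings    = @()

# 1. UserInit: the stock value is the path to userinit.exe followed by a comma.
#    Every other comma-separated entry is reported.
$userinit = (Get-ItemProperty -Path $winlogonKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($null -eq $userinit) {
    $findings += 'Userinit value is missing from the Winlogon key'
} else {
    foreach ($entry in ($userinit -split ',')) {
        $path = [Environment]::ExpandEnvironmentVariables($entry.Trim().Trim('"'))
        if ($path -eq '') { continue }        # empty piece after the trailing comma
        if ($path -ne $expected) {            # -ne compares case-insensitively
            $findings += "Unexpected Userinit entry: $path"
        }
    }
}

# 2. WinCode: the entry says the encryption key is stored in this value.
#    Only its presence is reported; the value is neither printed nor changed.
$winCode = (Get-ItemProperty -Path $versionKey -Name WinCode -ErrorAction SilentlyContinue).WinCode
if ($null -ne $winCode) {
    $findings += 'WinCode value present under Windows NT\CurrentVersion'
}

# 3. ntos.exe in the system directory (Test-Path also sees hidden files).
$ntos = Join-Path $systemDir 'ntos.exe'
if (Test-Path -LiteralPath $ntos) {
    $findings += "File present: $ntos"
}

if ($findings.Count -eq 0) {
    'No indicators from this entry were found.'
} else {
    $findings
}
```

Run it from an elevated PowerShell session before step 1 and again after step 3 to confirm that the UserInit entry and the file are gone.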

This malicious program encrypts files on the victim machine. It is a Windows PE EXE file. It is packed using UPX. The unpacked file is 58,368 bytes in size.

The executable file of known variants of this virus is called "ntos.exe".

Payload

©Virus-Encyclopedia.com All Rights Reserved.